Manage NSG flow logs using Azure PowerShell
Important
On September 30, 2027, network security group (NSG) flow logs will be retired. As part of this retirement, you'll no longer be able to create new NSG flow logs starting June 30, 2025. We recommend migrating to virtual network flow logs, which overcome the limitations of NSG flow logs. After the retirement date, traffic analytics enabled with NSG flow logs will no longer be supported, and existing NSG flow logs resources in your subscriptions will be deleted. However, NSG flow logs records won't be deleted and will continue to follow their respective retention policies. For more information, see the official announcement.
Network security group flow logging is a feature of Azure Network Watcher that allows you to log information about IP traffic flowing through a network security group. For more information about network security group flow logging, see NSG flow logs overview.
In this article, you learn how to create, change, disable, or delete an NSG flow log using Azure PowerShell. You can learn how to manage an NSG flow log using the Azure portal, Azure CLI, REST API, or ARM template.
Prerequisites
An Azure account with an active subscription. Create a trial subscription.
Insights provider. For more information, see Register Insights provider.
A network security group. If you need to create a network security group, see Create, change, or delete a network security group.
An Azure storage account. If you need to create a storage account, see create a storage account using PowerShell.
Azure PowerShell installed locally.
- You can Azure PowerShell locally to run the cmdlets. This article requires the Az PowerShell module. For more information, see How to install Azure PowerShell. To find the installed version, run
Get-InstalledModule -Name Az
. If you run PowerShell locally, sign in to Azure using the Connect-AzAccount -Environment AzureChinaCloud cmdlet.
- You can Azure PowerShell locally to run the cmdlets. This article requires the Az PowerShell module. For more information, see How to install Azure PowerShell. To find the installed version, run
Register insights provider
Microsoft.Insights provider must be registered to successfully log traffic flowing through a network security group. If you aren't sure if the Microsoft.Insights provider is registered, use Register-AzResourceProvider to register it.
# Register Microsoft.Insights provider.
Register-AzResourceProvider -ProviderNamespace 'Microsoft.Insights'
Create a flow log
Get the properties of the network security group that you want to create the flow log for and the storage account that you want to use to store the created flow log using Get-AzNetworkSecurityGroup and Get-AzStorageAccount respectively.
# Place the network security group properties into a variable. $nsg = Get-AzNetworkSecurityGroup -Name 'myNSG' -ResourceGroupName 'myResourceGroup' # Place the storage account properties into a variable. $sa = Get-AzStorageAccount -Name 'myStorageAccount' -ResourceGroupName 'myResourceGroup'
Note
- If the storage account is in a different subscription, the network security group and storage account must be associated with the same Azure Active Directory tenant. The account you use for each subscription must have the necessary permissions.
Create the flow log using New-AzNetworkWatcherFlowLog. The flow log is created in the Network Watcher default resource group NetworkWatcherRG.
# Create a version 1 NSG flow log. New-AzNetworkWatcherFlowLog -Name 'myFlowLog' -Location 'chinaeast' -TargetResourceId $nsg.Id -StorageId $sa.Id -Enabled $true
Create a flow log and traffic analytics workspace
Get the properties of the network security group that you want to create the flow log for and the storage account that you want to use to store the created flow log using Get-AzNetworkSecurityGroup and Get-AzStorageAccount respectively.
# Place the network security group properties into a variable. $nsg = Get-AzNetworkSecurityGroup -Name 'myNSG' -ResourceGroupName 'myResourceGroup' # Place the storage account properties into a variable. $sa = Get-AzStorageAccount -Name 'myStorageAccount' -ResourceGroupName 'myResourceGroup'
Note
- The storage account can't have network rules that restrict network access to only Azure services or specific virtual networks.
- If the storage account is in a different subscription, the network security group and storage account must be associated with the same Azure Active Directory tenant. The account you use for each subscription must have the necessary permissions.
Create a traffic analytics workspace using New-AzOperationalInsightsWorkspace.
# Create a traffic analytics workspace and place its properties into a variable. $workspace = New-AzOperationalInsightsWorkspace -Name 'myWorkspace' -ResourceGroupName 'myResourceGroup' -Location 'chinaeast'
Create the flow log using New-AzNetworkWatcherFlowLog. The flow log is created in the Network Watcher default resource group NetworkWatcherRG.
# Create a version 1 NSG flow log with traffic analytics. New-AzNetworkWatcherFlowLog -Name 'myFlowLog' -Location 'chinaeast' -TargetResourceId $nsg.Id -StorageId $sa.Id -Enabled $true -EnableTrafficAnalytics -TrafficAnalyticsWorkspaceId $workspace.ResourceId
Change a flow log
You can use Set-AzNetworkWatcherFlowLog to change the properties of a flow log. For example, you can change the flow log version or disable traffic analytics.
# Place the network security group properties into a variable.
$nsg = Get-AzNetworkSecurityGroup -Name 'myNSG' -ResourceGroupName 'myResourceGroup'
# Place the storage account properties into a variable.
$sa = Get-AzStorageAccount -Name 'myStorageAccount' -ResourceGroupName 'myResourceGroup'
# Update the NSG flow log.
Set-AzNetworkWatcherFlowLog -Name 'myFlowLog' -Location 'chinaeast' -TargetResourceId $nsg.Id -StorageId $sa.Id -Enabled $true -FormatVersion 2
List all flow logs in a region
Use Get-AzNetworkWatcherFlowLog to list all NSG flow log resources in a particular region in your subscription.
# Get all NSG flow logs in China East region.
Get-AzNetworkWatcherFlowLog -Location 'chinaeast' | format-table Name
Note
To use the -Location
parameter with Get-AzNetworkWatcherFlowLog
cmdlet, you need an additional Reader permission in the NetworkWatcherRG resource group.
View details of a flow log resource
Use Get-AzNetworkWatcherFlowLog to see details of a flow log resource.
# Get the details of a flow log.
Get-AzNetworkWatcherFlowLog -Name 'myFlowLog' -Location 'chinaeast'
Note
To use the -Location
parameter with Get-AzNetworkWatcherFlowLog
cmdlet, you need an additional Reader permission in the NetworkWatcherRG resource group.
Download a flow log
The storage location of a flow log is defined at creation. To access and download flow logs from your storage account, you can use Azure Storage Explorer. Fore more information, see Get started with Storage Explorer.
NSG flow log files saved to a storage account follow this path:
https://{storageAccountName}.blob.core.chinacloudapi.cn/insights-logs-networksecuritygroupflowevent/resourceId=/SUBSCRIPTIONS/{subscriptionID}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/{NetworkSecurityGroupName}/y={year}/m={month}/d={day}/h={hour}/m=00/macAddress={macAddress}/PT1H.json
For information about the structure of a flow log, see Log format of NSG flow logs.
Disable a flow log
To temporarily disable a flow log without deleting it, use Set-AzNetworkWatcherFlowLog with the -Enabled $false
parameter. Disabling a flow log stops flow logging for the associated network security group. However, the flow log resource remains with all its settings and associations. You can re-enable it at any time to resume flow logging for the configured network security group.
Note
If traffic analytics is enabled for a flow log, it must disabled before you can disable the flow log.
# Place the network security group properties into a variable.
$nsg = Get-AzNetworkSecurityGroup -Name 'myNSG' -ResourceGroupName 'myResourceGroup'
# Place the storage account properties into a variable.
$sa = Get-AzStorageAccount -Name 'myStorageAccount' -ResourceGroupName 'myResourceGroup'
# Update the NSG flow log.
Set-AzNetworkWatcherFlowLog -Enabled $false -Name 'myFlowLog' -Location 'chinaeast' -TargetResourceId $nsg.Id -StorageId $sa.Id
Delete a flow log
To permanently delete an NSG flow log, use Remove-AzNetworkWatcherFlowLog command. Deleting a flow log deletes all its settings and associations. To begin flow logging again for the same network security group, you must create a new flow log for it.
# Delete the flow log.
Remove-AzNetworkWatcherFlowLog -Name 'myFlowLog' -Location 'chinaeast'
Note
Deleting a flow log does not delete the flow log data from the storage account. Flow logs data stored in the storage account follow the configured retention policy.
Related content
- To learn how to use Azure built-in policies to audit or deploy NSG flow logs, see Manage NSG flow logs using Azure Policy.
- To learn about traffic analytics, see Traffic analytics.